Bug Description

It appears that bug #1065187 also affects the v2 api. From the previous description:

Given a public, non-protected image, a non-admin user can issue a delete against that image which may delete the image from the backend storage repository. The client will get a 403 unauthorized response, but the backend delete method is called prior to checking for those permissions on the glance registry.
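The ordering problem described above, shown as an added example that is not part of the original report and is not Glance's code. The `Registry`, `Store` and handler names are hypothetical, and the owner-or-admin delete policy is an assumption made for illustration; the sample image is constructed.

```python
# Added illustration; class and function names are hypothetical, not Glance's API.
class Forbidden(Exception):
    """Stands in for the HTTP 403 returned to the client."""

class Registry:
    """Metadata service: the only component that knows who owns an image."""
    def __init__(self):
        self.images = {}  # image_id -> {"owner": str, "is_public": bool}

    def authorize_delete(self, image_id, user, is_admin):
        # Assumed policy: only the owner or an admin may delete.
        if not (is_admin or self.images[image_id]["owner"] == user):
            raise Forbidden(image_id)

    def delete(self, image_id, user, is_admin):
        self.authorize_delete(image_id, user, is_admin)
        del self.images[image_id]

class Store:
    """Backend storage: holds image bytes and performs no permission checks."""
    def __init__(self):
        self.blobs = {}

    def delete(self, image_id):
        self.blobs.pop(image_id, None)

def delete_backend_first(registry, store, image_id, user, is_admin=False):
    """Ordering from the report: data is removed, then the registry refuses."""
    store.delete(image_id)
    registry.delete(image_id, user, is_admin)

def delete_authorize_first(registry, store, image_id, user, is_admin=False):
    """Corrected ordering: a refused request never reaches the backend."""
    registry.authorize_delete(image_id, user, is_admin)
    store.delete(image_id)
    registry.delete(image_id, user, is_admin)

def attempt(handler, user, is_admin=False):
    """Run one delete against a constructed public image; report what survives."""
    registry, store = Registry(), Store()
    registry.images["img-1"] = {"owner": "alice", "is_public": True}
    store.blobs["img-1"] = b"constructed image data"
    try:
        handler(registry, store, "img-1", user, is_admin)
        status = 204
    except Forbidden:
        status = 403
    return status, "img-1" in store.blobs, "img-1" in registry.images
```

`attempt` returns the status, whether the backend data survived, and whether the registry record survived. With the backend-first handler a refused request still leaves a registry record whose data is gone, which is the state to look for when checking whether a deployment was affected.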

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

- Non-admin users can cause public glance images to be deleted from the
- backend storage repository in the v2 api
+ [OSSA-2012-017] Non-admin users can cause public glance images to be
+ deleted from the backend storage repository in the v2 api

Changed in ossa:

assignee: nobody → Russell Bryant (russellb)

status: New → Fix Released

summary:

- [OSSA-2012-017] Non-admin users can cause public glance images to be
+ [OSSA-2012-017.1] Non-admin users can cause public glance images to be
  deleted from the backend storage repository in the v2 api